From: Aron Roberts (aron_at_socrates.berkeley.edu)
Date: Mon Aug 25 2003 - 12:17:46 PDT
A perspective in the aftermath of Slammer, Zlez, Blaster, SoBig,
and others, which have resulted in long hours for departmental
computing support staff, as well as for the hard-working SNS and CNS
folks ...
On November 5, 2002, our campus security officer, Craig Lant, wrote
(as appended below):
>... the reason I don't recommend deploying services on Windows is
>precisely because so many more vulnerabilities are found in Windows
>than in any other platform.
However, Craig tempered this by stating that Windows' market
dominance is the reason that so many Windows vulnerabilities have
been found, rather than any design characteristics intrinsic to this
operating system.
Here's an interesting article, in direct contrast to Craig's assessment:
Rob Pegoraro
"Microsoft Windows: Insecure by Design"
Washington Post, August 24, 2003, p. F07
http://www.washingtonpost.com/ac2/wp-dyn/A34978-2003Aug23?language=printer
Some excerpts, with certain individual points annotated with
bracketed numbers ("[1]"):
>In its default setup, Windows XP on the Internet amounts to a car
>parked in a bad part of town, with the doors unlocked, the key in
>the ignition and a Post-It note on the dashboard saying, "Please
>don't steal this." ...
>
>[1] Windows XP Home Edition ... ships with five ports open, behind
>which run "services" that serve no purpose except on a computer
>network.
>
>"Messenger Service," for instance, is designed to listen for alerts
>sent out by a network's owner, but on a home computer all it does is
>receive ads broadcast by spammers. The "Remote Procedure Call"
>feature exploited by Blaster is, to quote a Microsoft advisory, "not
>intended to be used in hostile environments such as the Internet."
>
>Jeff Jones, Microsoft's senior director for "trustworthy computing,"
>said the company was heeding user requests when XP was designed:
>"What customers were demanding was network compatibility,
>application compatibility." ... Now, Jones said, Microsoft believes
>it's better to leave ports shut until users open the ones they need.
>But any change to this dangerous default configuration will only
>come in some future update.
>
>In comparison, Mac OS X ships with zero ports open to the Internet.
>
>[2] Windows XP, by default, provides unrestricted, "administrator"
>access to a computer. This sounds like a good thing but is not,
>because any program, worms and viruses included, also has
>unrestricted access.
>
>Yet administrator mode is the only realistic choice: XP Home's
>"limited account," the only other option, doesn't even let you
>adjust a PC's clock.
>
>Mac OS X and Linux get this right: Users get broad rights, but
>critical system tasks require entering a password. If, for instance,
>a virus wants to install a "backdoor" for further intrusions, you'll
>have to authorize it. This fail-safe isn't immune to user
>gullibility and still allows the total loss or theft of your data,
>but it beats Windows' anything-goes approach.
>
>[3] Windows XP includes basic firewall software (it doesn't monitor
>outgoing connections), but it's inactive unless you use its "wizard"
>software to set up a broadband connection. Turning it on is a
>five-step task in Microsoft's directions (www.microsoft.com/protect)
>that must be repeated for every Internet connection [e.g. broadband
>or dial-up - Aron] on a PC.
>
>Mac OS X's firewall isn't enabled by default either, but it's much
>simpler to enable. Red Hat Linux is better yet: Its firewall is on
>from the start.
To Microsoft's credit, some of the vulnerabilities in the default
configurations of Windows 2000 and XP have been reported to have been
removed in the company's latest OS, Windows Server 2003. Several of
these reports have attributed these changes to Microsoft's much
touted "Trustworthy Computing" initiative, as discussed on the
company's one-year anniversary page,
<http://www.microsoft.com/presspass/features/2003/Jan03/01-15twcanniversary.asp>.
Another reflection of Microsoft's newfound security consciousness is
its recent, blanket recommendation that customers enable XP's
integral firewall
<http://www.microsoft.com/security/protect/default.asp>.
We can expect to see more changes in this direction from Microsoft
over time, although they might seem slow in coming to beleaguered
campus support providers, at least after the last several weeks :-(.
An outside evaluation of the "Trustworthy Computing" initiative at
the one year mark frankly identifies the long-term nature of this
effort:
Robert Lemos
One year on, is Microsoft 'trustworthy'?
CNET News, January 16, 2003
http://news.com.com/2100-1001_3-981015.html?tag=rn
>"We said that Trustworthy Computing is a 10-year project, sort of
>like (President) Kennedy sending people to the moon," said Scott
>Charney, chief security strategist for Microsoft. "We're (only) a
>year into it. ..."
FYI,
Aron Roberts
Workstation Software Support Group
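A defender-side check of point [1] above, the "ports shut until users open the ones they need" policy, added here as an example that is not part of the original message or the Post article. The netstat listing is constructed, and the service names attached to each port are assumptions about XP-era defaults rather than facts from the article:

```python
# Assumed XP-era services that listen on every interface out of the box.
LEGACY_SERVICES = {
    ("tcp", 135): "RPC endpoint mapper (the service Blaster abused)",
    ("udp", 135): "Messenger Service (popup spam)",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB file sharing",
    ("udp", 1900): "SSDP / UPnP discovery",
}

def parse_netstat(text):
    """Return (proto, local_addr, port) for each listening socket in
    'netstat -an' style output; TCP sockets count only in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        proto = parts[0].lower()
        if proto == "tcp" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        addr, _, port = parts[1].rpartition(":")
        listeners.append((proto, addr, int(port)))
    return listeners

def exposed_listeners(listeners, allow=frozenset()):
    """Listeners bound beyond loopback that policy did not explicitly allow,
    paired with what (if anything) is assumed to sit behind that port."""
    findings = []
    for proto, addr, port in listeners:
        if addr.startswith("127.") or addr == "::1":
            continue                      # loopback-only is not Internet-facing
        if (proto, port) in allow:
            continue                      # opened on purpose by the owner
        findings.append((proto, port, LEGACY_SERVICES.get((proto, port), "unknown")))
    return findings

# Constructed sample output (not captured from a real host).
SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3389       10.0.0.9:51000         ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:1900           *:*
"""

if __name__ == "__main__":
    for proto, port, what in exposed_listeners(parse_netstat(SAMPLE), {("tcp", 445)}):
        print(f"{proto}/{port}: {what}")
```

Anything the script reports is a listener the host owner never chose to open; the allow-set is the record of deliberate exceptions.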
---------------------------------------------------------------
Date: Tue, 05 Nov 2002 14:18:13 -0800
From: Craig Lant <craig_at_ack.berkeley.edu>
CC: ucb-security list <ucb-security_at_uclink.berkeley.edu>
Subject: Re: [Security] PR regarding attacks, vulnerabilities of various platforms
Thanks Aron,
This is a very interesting report and can, I think, be useful. I
don't agree with the conclusions drawn in the report. Clearly the
numbers simply reflect the number of deployed systems for each platform.
The more systems there are of a particular type out there, the more
attacks you'll see and the more vulnerabilities will be found. Duh!
I certainly don't think it's valid to conclude that SCO Unix and Mac
OS are less vulnerable than the others. It's not that they don't
have as many vulnerabilities. It's just that fewer people are
looking for those vulnerabilities. So, they just aren't found (yet).
On the other hand, the reason I don't recommend deploying services on
Windows is precisely because so many more vulnerabilities are found
in Windows than in any other platform.
Thanks,
Craig
Aron Roberts wrote:
> No flames, please -- just some food for thought regarding the
>security vulnerability of various computing platforms ...
>
> mi2g, a private computer security tools, services, and consulting
>firm in the UK, issued a press release last week
><http://mi2g.com/cgi/mi2g/press/311002.php> (full text below),
>identifying the numbers of 'overt attacks' and 'known software
>vulnerabilities announced' for various software platforms,
>ostensibly for a ten-month or twelve-month period ending at the date
>of the release (October 31, 2002):
>
>                     Overt Attacks     Known Software Vulnerabilities
>Platform             (in 2002)         Announced (in 2002)
>-----------------    -------------     ------------------------------
>Microsoft Windows    54%               44%
>Linux                30%               19%
>BSD Unix              6%                9%
>Solaris               5%                7%
>SCO Unix              0.2%              0.5%
>Compaq Tru64          0.02%             1.9%
>Mac OS                0.005%            1.9%
>
> As a rough first approximation, perhaps these numbers might be of
>some value in at least retroactively assessing the risk profiles of
>various OS platforms. (As noted in mutual fund literature: "past
>performance is no guarantee of future returns." ;-)
>
> However, it is very difficult to know how much credence, if any,
>to grant to these or any similar such set of figures (as noted in a
>discussion of some apparent flaws in this press release, below), and
>how any such numbers -- even more credible ones that might be
>available from other sources -- might best be used to inform
>computing policy discussions.
>
>[Long discussion in the original omitted here ...]
>
>Aron Roberts
>Workstation Software Support Group
...